Jun 18, 2014
Lab Testing Summary Report
June 2014
Report SR140506

Product Category: Carrier Class SBC
Vendor Tested:

Key findings and conclusions:

Testing verified that the Sonus SBC 7000 Session Border Controller (SBC) can register 1.2 million Session Initiation Protocol (SIP) user endpoints in 10.2 minutes with no dropped registration requests and can process 1,350 sustained calls per second (cps) - full 24-message SIP calls, with SIP Message Manipulation (SMM) applied - with no failed or dropped calls and with ample remaining CPU and memory.

The SBC 7000 can sustain 130,800 concurrent G.711 - G.729A transcoded media sessions or 150,000 G.729A pass-through media sessions with no dropped or rejected calls.

The Sonus SBC 7000 demonstrated powerful encryption for service security, supporting 150,000 concurrent, fully encrypted Secure Real-time Transport Protocol (SRTP) media sessions, as well as 765,000 endpoints via encrypted Transport Layer Security (TLS) signaling connections.

The SBC 7000 supported a registration refresh rate of 18,116 registers per second, thereby allowing a refresh interval of under 30 sec for 500,000 NAT’ed SIP endpoints.

The SBC 7000 proved fully resilient against Distributed Denial of Service (DDoS) attacks on RTP streams, maintaining excellent Mean Opinion Score (MOS) ratings and with no dropped calls or system degradation. In addition, the system effectively controls inbound call overloads, successfully completing 1,615 cps from an applied load of over 4,000 cps.
Sonus Networks’ SBC 7000 Session Border Controller (SBC) was evaluated by Miercom to verify its call performance and call-handling abilities when subjected to attack traffic conditions.

The test program consisted of three parts: call performance; call performance under Distributed Denial of Service (DDoS) attack; and Session Initiation Protocol (SIP) registration performance.

Figure 1: Sonus SBC 7000 Session Border Controller Proven Capabilities

Product Tested: SBC 7000 Session Border Controller

Calls Per Second                               1,350
Transcoded Media Sessions                      130,800
Concurrent Calls with Full RTP Media           150,000
NAT'ed Endpoints                               500,000
Encrypted TLS Sessions                         765,000
Registered Subscribers (SIP User Endpoints)    1,200,000

Source: Miercom, June 2014

Performance verified. Some of the key metrics for performance and session capacity that were validated in lab testing of the Sonus SBC 7000 Session Border Controller.

The SBC 7000 is targeted at service provider and large enterprise deployments of up to 150,000 sessions. Redundancy is inherent with this Sonus SBC. The SBC 7000 offers two active 10GE (10 gigabits/sec) ports, used for signaling and media, and two redundant 10GE ports. There are also two 10GE high-availability (HA) ports for interconnecting to a second SBC for “node failover.” In addition, two 1GE ports are used for management and OAM purposes on the SBC 7000.

Two pairs of SBC 7000 platforms were tested. Each SBC 7000 tested was equipped with four Digital Signal Processing (DSP) cards. A total of 11 different tests were performed, demonstrating carrier peering and registration access performance, scale and resiliency. Baseline peering and access performance of the SBC 7000 were assessed for various engineered call loads and overload conditions. The system supports IPv4, IPv6, IPv4/IPv6 interworking, SIP trunking, line-rate DoS/DDoS and Rogue RTP protection, among various other security and signaling features.
Call Performance

Max Calls Per Second with Full SIP 24-Message Call Flow

With the SBC 7000 configured for carrier peering, Miercom engineers confirmed that the Sonus SBC can successfully accept and process 1,350 calls per second (cps) – with the full, 24-message SIP-SIP call flow and with SIP Message Manipulation (SMM) applied to every message.

A standard point-to-point SIP call involves 12 SIP messages per call leg (a total of 24 SIP messages if both legs of a SIP back-to-back-user-agent call are counted), as shown in Figure 2. The SMM feature is useful for accommodating differences in SIP protocol implementations between peering entities. SMM is used by SIP processing to alter incoming or outgoing messages. In this test, the SBC was configured to perform this message manipulation: adding a new header, deleting a header using a regular expression match and then modifying the content of the header.

SMM is primarily aimed at enhancing interoperability between different vendors' equipment and applications, and for correcting fixable protocol errors in SIP messages on-the-fly, without requiring changes to firmware/software. The SBC 7000 exhibited no notable difference in normal SIP call processing performance with the SMM rules applied. The SBC still successfully processed 1,350 cps, with none dropped or rejected. This is noteworthy given the role the SBC plays in normalizing different SIP flows. SBCs have traditionally exhibited significant mainline performance hits when also performing message manipulation.

Figure 2: Sonus SBC 7000 Standard 24 Message SIP-SIP Call Flow
Sonus SBC 7000 handling a standard SIP call flow with 12 messages each per caller and called party.
Source: Miercom, June 2014

Transcoded Media Capacity and Quality

Transcoding is a necessary function in an SBC for resolving incompatibilities between endpoints using different media encodings; without transcoding, a media session is not possible when the endpoints do not share a common codec. Additionally, transcoding is often required when connecting endpoints to a core network that only supports specific codecs. Furthermore, the SBC needs to determine whether transcoding is necessary, and perform it, on a call-by-call basis and at the full scale (and full call rate) without degrading call quality.

We evaluated the ability of the SBC 7000 to handle transcoding between G.711- and G.729A-encoded media streams. The Sonus SBC 7000, we determined, could simultaneously handle 130,800 such transcoding sessions. During this load, we also manually placed calls through the Sonus SBC between two Grandstream GXV3140 videoconferencing SIP phones – as a human/user sanity check – and assessed the audio quality. Call quality was excellent.

With the SBC 7000 configured for carrier peering, a call hold time of 10 minutes and 130,800 transcoding sessions running, a Navtel component of the EXFO QA-805 test system conducted automated Mean Opinion Score (MOS) measurements on the transcoded sessions. The result: average MOS scores of 4.08 and 4.39 for the G.729A and G.711 streams, respectively. MOS scores over 4.0 are universally considered "toll quality" and well above the norm in most networks today.

The SBC 7000's vital signs were measured, and then measured again 10 minutes into the transcoding test. It is especially noteworthy that all calls for this testing were processed using a full 24-message SIP call flow. This level of messaging is more complex, more CPU and memory-intensive, and adds more processing overhead than the minimal SIP call flow. However, this signaling is not uncommon in typical carrier network implementations. Results showed that the Navtel MOS assessment registered no voice quality failures. Furthermore, as previously noted, the audio quality on our own live, manual phone calls was excellent.

Figure 3: Sonus SBC 7000 G.711-G.729a Codec Mean Opinion Score
Mean Opinion Score (MOS) ratings by codec type: G.711 4.39; G.729a 4.08
Source: Miercom, June 2014
Call quality sustained. The SBC 7000 was able to deliver excellent call quality – average MOS scores over 4.0 – on transcoded calls, on calls handled during high overloads, and even during DDoS attacks.

Improved Resiliency through Backup 10-Gbps Bearer Ports

The next test was designed to test the resiliency of the Sonus SBC 7000 loaded with 150,000 pass-through media sessions after the failover of the primary media link. As before, the SBC 7000 was configured for carrier peering. Then, by issuing a shutdown command via the command line interface, we disabled the active 10GE port that was carrying the bidirectional media traffic to and from the SBC 7000.

First, to establish a baseline, we set up 150,000 G.729A pass-through media sessions and also placed a manual call between the two Grandstream videoconferencing SIP phones. We observed an average MOS score on the G.729A call to be 4.08 and the average R-factor rating to be 81.7 (consistent with a 4.08 MOS). We then failed the primary active link, redirecting all the media packets to the standby 10GE port on the same SBC.

Table 1: EXFO QA-805 MOS and R-Factor

VQT (E-Model)    Minimum   Average   Maximum
R-Factor         79.9      81.7      82.3
Estimated MOS    4.01      4.08      4.10

Using Wireshark, an open-source packet analyzer, we determined that it took only 13.5 milliseconds for the traffic to reroute and the media to be reestablished. In fact, the transition was so brief that there were no dropped calls and the MOS score remained constant at 4.08.

We then performed the same failover again, this time reinstating traffic flow from the secondary link back to the primary. Again, there were no dropped calls observed. The failover time was recorded at 14.0 milliseconds, and the same consistent MOS score of 4.08 was maintained. Audio quality on the manual phone call remained excellent and there was no noticeable break in the voice path when the media ports switched from primary to secondary, and then back again. This is a testament to the resiliency of the Sonus SBC 7000: very fast failover, imperceptible to callers and with continuous excellent call quality.
RTP-SRTP Interworking Capacity

The purpose of this test was to verify that the Sonus SBC 7000 could successfully set up and maintain 150,000 simultaneous Real-Time Protocol to/from Secure Real-Time Protocol (RTP-SRTP) media sessions, including the corresponding Real-Time Control Protocol to/from Secure Real-Time Control Protocol (RTCP-SRTCP) flows.

The SBC 7000 was again configured for carrier peering. This time, however, two SBC 7000 appliances were used, and an encrypted SRTP connection was established between them via a single 10GE connection. This arrangement was necessary due to insufficient SRTP capacity in the EXFO test equipment. The EXFO QA-805 generated a high volume of plain – that is, unencrypted – RTP sessions, which were delivered to one of the SBC 7000s. The SBC 7000 encrypted them into SRTP sessions and sent them to the second SBC 7000, which converted them to plain RTP sessions and delivered them back to the EXFO test system.

Calls were made using G.729A encoding. This enabled the link to carry many more calls and media streams than if the more traditional G.711 were used since a G.729A media stream requires only about one-fourth the bandwidth of a G.711 call. Once set up in this manner, a total of 150,000 stable G.729A media sessions were established and concurrently running. Each call also included an RTCP control stream, which the SBC 7000s converted to and from encrypted SRTCP.

The average MOS score on the G.729A RTP to SRTP to RTP calls was 4.08, the same as if the encryption and then decryption of each G.729A stream was not present. Additionally, no voice-quality failures or call errors were recorded or reported by the test equipment.
SIP Call Overload Performance

The Sonus SBC 7000 was then subjected to call overload tests, in which SIP call traffic at rates progressively higher than the vendor's specified capacity was delivered to the system. The primary tool used in this testing was SIPp, a free open-source traffic generator for SIP-based calls.

We first established a performance baseline by delivering call traffic at a rate of 1,350 cps – the level already determined to be a supported rate with no call drops or fails. Each call used a standard SIP-SIP call message flow with the load maintained for 5 minutes. At this level the SBC showed CPU resource usage at 49 percent and memory usage at 10 percent.

The call load was then progressively increased by 450 cps, up to three times the engineered load capacity or 4,050 cps. At the high point of 4,050 cps we maintained that load for three minutes and then decreased to 1,350 cps for another five minutes. Performance vital signs for the SBC 7000 were measured and recorded throughout the testing. Table 2 shows the key metrics by load.
Table 2: Call Overload Performance

Call Attempts per Second Delivered   CPU Utilization   Average Calls Processed   Memory Utilization
1350                                 49%               1350                      10%
1800                                 55%               1620                      11%
2250                                 62%               1620                      11%
2700                                 64%               1620                      11%
3150                                 64%               1615                      11%
3600                                 65%               1615                      11%
4050                                 65%               1615                      11%
1350                                 51%               1350                      11%

Stable handling of overload. The Sonus SBC 7000 successfully completed an average of 1,615 cps during overload conditions. System resource usage ranged from about 50 to 65 percent for CPU and about 11 percent for memory. Recovery of the system back to the original load of 1,350 cps returned the CPU to 51 percent. Memory usage remained constant throughout the overload tests.

Figure 4: Sonus SBC 7000 Call Overload Performance
The Sonus SBC 7000 successfully completes an average of 1,615 cps for applied 3x overload of 4,050 cps with CPU utilization of 65 percent and memory at 11 percent. The SBC was configured for peering.
Source: Miercom, June 2014

Call Performance under Attack

Call Performance under signaling DDoS attacks

In the next series of tests, malicious attack traffic was directed at the SBC 7000 to determine the effect on the SBC's performance and resource utilization. For this test we used the Ixia XM12 chassis containing the Ixia IxExplorer, version 6.60.100, Build 5. The SBC 7000 was configured for carrier peering.

The malicious traffic consisted of floods of invalid call requests directed at the signaling ports of the SBC 7000. The floods contained INVITE messages with unknown source addresses and others with incorrect header information. The bad INVITEs were packaged in 578-byte frames and filled the bandwidth remaining on the 10G port after valid signaling and media. This volume constitutes a serious DoS attack. This flood contained high volumes of bad requests from 10 different sources, effectively a DDoS attack, where multiple endpoints assault the same network device at the same time. The total DDoS attack was a flood of 1.1 million SIP INVITE requests per second.

Before – and during the attack – the SBC 7000 processed legitimate incoming calls at a rate of 1,350 cps and sustained a load of 40,500 concurrent calls. Surprisingly, system resources were not strained: CPU utilization hovered at 53 percent during the attack; memory utilization was 10 percent. Average call latency was measured at 11.53 milliseconds – which is insufficient delay to perceptibly impact call quality.

The SBC 7000, it turns out, has multiple protection layers built in, and these prevent any significant system degradation during such attacks. These attacks were effectively thwarted: we observed no call drops, failures, system performance or call quality degradation. The SBC 7000 remained up and available and continued processing calls 100 percent of the time before, during and after a DDoS attack of 1.1 million bad SIP INVITE requests per second.
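The flood described above mixes INVITEs from unknown source addresses with INVITEs carrying incorrect header information. The following Python example is an addition to this report, not Miercom's tooling or the SBC 7000's own protection logic (which the report does not detail); it triages constructed INVITEs in that order, and the peer range, addresses, function names and sample messages are all assumptions made for illustration.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: peers are provisioned in advance; constructed RFC 5737 documentation prefix.
TRUSTED_PEERS = [ip_network("192.0.2.0/28")]

# Header fields RFC 3261 section 8.1.1 requires in every SIP request.
REQUIRED = ("via", "from", "to", "call-id", "cseq", "max-forwards")
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id"}

def parse_headers(raw):
    """Return (request_line, {name: [values]}); ValueError on broken framing."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if not sep or not key:
            raise ValueError("header line without name and colon")
        headers.setdefault(COMPACT.get(key, key), []).append(value.strip())
    return lines[0], headers

def header_problems(raw):
    """List the reasons an INVITE's headers are unacceptable (empty = sane)."""
    try:
        request_line, hdr = parse_headers(raw)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "INVITE" or parts[2] != "SIP/2.0":
        problems.append("bad request line")
    problems += ["missing " + name for name in REQUIRED if name not in hdr]
    if "cseq" in hdr:
        cseq = hdr["cseq"][0].split()
        if len(cseq) != 2 or not cseq[0].isdigit() or cseq[1] != "INVITE":
            problems.append("CSeq does not match the INVITE method")
    return problems

def classify(src_ip, raw):
    """Cheapest test first: source address, then header sanity."""
    addr = ip_address(src_ip)
    if not any(addr in net for net in TRUSTED_PEERS):
        return "drop:unknown-source"
    return "drop:bad-headers" if header_problems(raw) else "accept"

def triage(packets):
    """Count verdicts overall and dropped messages per source address."""
    verdicts, offenders = Counter(), Counter()
    for src, raw in packets:
        verdict = classify(src, raw)
        verdicts[verdict] += 1
        if verdict != "accept":
            offenders[src] += 1
    return verdicts, offenders

def invite(call_id="a84b4c76e66710@peer.example", cseq="314159 INVITE"):
    """Build a constructed INVITE; call_id=None omits the Call-ID header."""
    lines = [
        "INVITE sip:bob@example.net SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.4:5060;branch=z9hG4bK776asdhds",
        "Max-Forwards: 70",
        "From: <sip:alice@example.com>;tag=1928301774",
        "To: <sip:bob@example.net>",
        "CSeq: " + cseq,
    ]
    if call_id is not None:
        lines.insert(5, "Call-ID: " + call_id)
    return "\r\n".join(lines) + "\r\n\r\n"

# Constructed sample traffic: (source address, raw SIP message).
SAMPLE = [
    ("192.0.2.4", invite()),                    # known peer, well formed
    ("192.0.2.4", invite(call_id=None)),        # known peer, Call-ID missing
    ("192.0.2.5", invite(cseq="1 REGISTER")),   # known peer, CSeq mismatch
    ("203.0.113.9", invite()),                  # source is not a peer
    ("198.51.100.77", invite()),                # source is not a peer
    ("203.0.113.9", invite(call_id=None)),      # not a peer and malformed
]

print(triage(SAMPLE))
```

Header line folding and methods other than INVITE are outside what this example handles.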
Resistance to DDoS Attack on Active RTP Stream

Similar to the DDoS flood attack on the SBC's signaling ports, the SBC 7000 also successfully thwarted attacks specifically targeting the RTP media streams of calls. As before, the SBC was configured for peering during this test. This DoS attack consisted of two types of packets: ICMP Echo (pings) and User Datagram Protocol (UDP). Frame size was set to 667 bytes and the load filled the bandwidth remaining on the 10G port after valid signaling and media.

The average MOS scores for G.711 before the attack were measured at 4.38. During the attacks, we observed less than one percent degradation in MOS score. Voice quality essentially remained at 100 percent, and there was no impact on system performance.

Through several types of heavy DoS attacks, transcoding, heavy call overload, and even call encryption, the SBC 7000 demonstrated in our testing that it could readily control all of these situations without impacting legitimate call volume or quality, or degrading system performance.
Registration Performance

Maximum Endpoint Registrations

Miercom engineers applied tests to see if the SBC 7000 could process and maintain the registration of 1.2 million SIP user endpoints. The SBC was configured for access usage, accepting call requests directly from user endpoints.

For this test the EXFO QA-805 wireless/IMS and VoIP platform delivered two simultaneous streams of registration requests – one registering 602,000 SIP user endpoints and the other 598,000 – on two 10GE ports to the SBC 7000. All registration requests were successfully processed; none were rejected or dropped. The testing verified that the SBC 7000 readily handles the registration of 1.2 million SIP user endpoints.

Registration Avalanche

The purpose of this test was to verify that the Sonus SBC 7000 can register all 1.2 million endpoints within a reasonable timeframe, as would be the case in a city-wide power loss/restoral, or a non-HA reboot scenario. As in the previous test, the SBC 7000 was configured for access scenarios.

Using the EXFO QA-805 wireless/IMS and VoIP test platform, registration requests were delivered by two EXFO test systems at a rate of 1,001 and 999 per second, respectively, onto two 10GE ports of the same SBC 7000 – an aggregate rate of 2,000 registration requests per second. Testing verified that 1.2 million SIP endpoints registered successfully in just 10 minutes and 12 seconds (10.2 minutes) with CPU utilization at 49 percent and memory utilization at 14 percent, as shown in Table 3.

Table 3: Registration Performance

Performance Metrics
Total SIP User Endpoints Registered   1.2 million
Registration Time                     10.2 minutes (612 seconds)
CPU Utilization                       49%
Memory                                14%
Registration Rate                     2,000 per second (delivered via two 10GE ports)

Fast Registration Refresh

SBCs configured for access deployment often get involved in network address translator (NAT) traversal. This is an added network security measure where the IP addresses of SIP user endpoints are obscured, and calls out onto the network use a different, temporary address assigned by the NAT.

The SBC will typically establish and then maintain these IP translations through the NAT, and in so doing maintain endpoint IP connections for incoming and outgoing calls. This requires frequent registration refreshes (for example, every 30 seconds) to keep the intermediary NAT pinholes open.

With the SBC 7000 in access configuration, testing successfully demonstrated that the SBC can register 500,000 NAT’ed user endpoints, and then maintain each endpoint using a 30-second refresh interval. Table 4 summarizes the test findings.

Table 4: Fast Registration Performance

Performance Metrics
Total NAT’ed Endpoints       500,000
CPU Utilization              6.3%
Memory                       10%
Refresh Interval             30 seconds
Registration Refresh Rate    18,116 per second
Maximum TLS Access

The purpose of this testing was to verify that the SBC 7000 could support 765,000 user endpoints connected to the SBC via secure Transport Layer Security (TLS) connections. TLS connections are the equivalent of Web Secure Sockets Layer (SSL) connections and provide encrypted and authenticated communication for the VoIP signaling.

For this testing the Sonus SBC 7000 was configured for SIP Registration access. On the EXFO test system, 765,000 SIP user endpoints were set up. TLS connection and registration requests were then issued to the SBC 7000 from each simulated endpoint. The SBC 7000 had to establish the TLS connection and then process the registration. The number of maximum supported concurrent TLS-based endpoints and the TLS-based registration rate were carefully measured.

Testing revealed that 765,000 TLS-connected endpoints were indeed concurrently supported. A maximum registration rate (including the setup of the TLS connection) of 1,100 per second was measured. Then calls were set up via the TLS tunnels: A maximum of 508 cps were successfully processed and a total of 45,720 concurrent calls were sustained. The SBC 7000's CPU utilization for this testing was 30 percent and memory utilization 24 percent. The TLS performance results are summarized in Table 5.

Table 5: TLS Access Report

Performance Metrics
TLS Registrations per Second Supported                 1,100
TLS-based access connections concurrently supported    765,000
CPU Utilization                                        30%
Memory Usage                                           24%
TLS-based Call Establishment Rate                      508 Calls per Second
Concurrent Calls sustained via TLS                     45,720 Calls

Node Failover Test

For this test, two SBC 7000s were configured for carrier peering – one was deployed in the role of primary, the second as its hot standby. The primary SBC 7000 was presented a full load of 144,000 calls on a recurring (cycling) basis, and calls were being established at the high-end rate of 1,350 cps. Once set up, a failover command was issued through the command-line interface to the primary SBC. The standby SBC immediately took over as the primary. There was some loss of transient calls that were being set up at the moment, but the SBC 7000's peak call processing rate of 1,350 cps continued undiminished. The interruption was incredibly brief – one of the fastest we have ever seen for an SBC hot failover. The media-stream switchover time, from initiation of the failover to the takeover of calls by the standby SBC, was a mere 14 milliseconds.

Bottom Line

The Sonus SBC 7000 maintained high levels of call processing rates, with low system resource usage, and proved to be remarkably resilient to several types of malicious attack.

Our testing examined many aspects of the SBC 7000 that address reliability and resilience, security, continued uptime and high call quality under all conditions we tested. The SBC 7000 exhibited excellent resilience and continued performance and call quality under all the high-duress scenarios tested, including two prolonged DoS attacks.

The SBC 7000 performed very well in high load conditions. In peering scenarios, we verified that the SBC 7000 successfully completes 1,350 cps and 130,800 transcoded or 150,000 pass-through media sessions. In access scenarios, we verified registration support for 500,000 NAT’ed endpoints and 765,000 endpoints registered via secure TLS connections. The SBC 7000 also simultaneously supported 1,200 cps for UDP endpoints and a test bed-limited 500 cps for TLS endpoints.
List of Test Equipment Used

Name                        Function                                                            Version
Sonus SBC 7000              Device Under Test (DUT)                                             Release 4.1
EXFO QA-805                 Wireless, IMS & VoIP Test tool; traffic call and load generation    Release 9.3
Ixia XM12 and IxNetwork     Rackmount chassis housing Ixia IxNetwork test system; DoS testing   6.60.100 Build 5
SIPp SIP UA Simulation      SIP call-traffic generation                                         v 3.4
RStudio                     Open source development environment for R programming               0.98.507
Netgear ProSafe XSM7224S    L2 Switch                                                           9.0.1.29
Wireshark                   Packet and traffic analysis                                         Stable release 1.10.7
Test Bed Diagram

[Diagram of the test bed. Labels: Test Tools; System Under Test; EXFO QA-805 Release 9.3; Sonus SBC 7000 Release 4.1; Netgear ProSafe XSM7224S; Ixia XM12 IxNetworks; SIPp SIP UA Simulation Tool; Grandstream Networks GS-GXV3140 IP Multimedia Phone]

Source: Miercom, June 2014
How We Did It

The Sonus SBC 7000 Session Border Controller, running Sonus SBC Release 4.1, was evaluated in a test configuration that included two Netgear ProSafe XSM7224S L2 switches running OS version 9.0.1.29 (boot version 10). All of the Sonus SBC 7000 fiber and copper interfaces used for SIP signaling or media connected via the Netgear switches.

The SBC 7000 received simulated traffic during this testing from an EXFO Quality Assurer QA-805 Wireless/IMS (IP Multimedia Subsystem) and VoIP test platform. EXFO (www.exfo.com) is a leading provider of next-generation test and service-assurance solutions for wireless and wireline network operators and equipment manufacturers throughout the global telecom industry.

The EXFO QA-805 Release 9.3 with Navtel R14 Release 8.3.1.62 was used for generating: registration requests; calls (performing both caller and called-party roles); SIP Invite floods; registration floods; and for call analysis. The Navtel SIP PS Performance Application was used as a proxy server and registrar for the access-verification tests.

The Sonus device under test was controlled by a Sonus SBC 7000 management console. The EXFO QA-805 was controlled by a Navtel management console. Security and DoS prevention features on the Sonus SBC 7000 were configured in accordance with the vendor's DDoS prevention configuration guide and the SBC 7000 user guide. An Ixia XM12 chassis, which was running IxExplorer version 6.60.100, Build 5, was used for two security tests.

The tests in this report are intended to be reproducible by customers who wish to recreate them using the appropriate test and measurement equipment. Current or prospective customers interested in repeating these results should contact [email protected] for details on the configurations applied to the device under test and the test tools used in this evaluation. Miercom recommends customers conduct their own needs analysis for session border control functionality and test specifically for the environment they expect to support, prior to making a product selection.
Miercom Performance Verified

This lab testing verified the peering and access performance and capacity capabilities of the Sonus SBC 7000 Session Border Controller. The Sonus SBC 7000 successfully registers up to 1.2 million SIP user endpoints, sustains 150,000 concurrent calls with full RTP media, and processes calls at a rate of 1,350 cps. The results show that the SBC 7000 meets or exceeds the vendor's published product specs. Tests also found that the Sonus SBC 7000 is resilient and reliably maintains calls and call quality when exposed to malicious attack traffic, overloads, or when performing encryption or transcoding. In addition, the SBC 7000 recovers quickly from power outages. Miercom is pleased to award the Certification to the Sonus SBC 7000.

Sonus Networks, Inc.
4 Technology Park Drive
Westford, MA 01886
1-800-GO-SONUS
http://www.sonus.net

About Miercom’s Product Testing Services

Miercom has hundreds of product-comparison analyses published over the years in leading network trade periodicals including Network World, Business Communications Review, Tech Web - NoJitter, Communications News, xchange, Internet Telephony and other leading publications. Miercom’s reputation as the leading, independent product test center is unquestioned. Miercom’s private test services include competitive product analyses, as well as individual product evaluations. Miercom features comprehensive certification and test programs including: Certified Interoperable, Certified Reliable, Certified Secure and Certified Green. Products may also be evaluated under the NetWORKS As Advertised program, the industry’s most thorough and trusted assessment for product usability and performance.
Report SR140506
[email protected]
www.miercom.com
Product names or services mentioned in this report are registered trademarks of their respective owners. Miercom makes every effort to ensure that information contained within our reports is accurate and complete, but is not liable for any errors, inaccuracies or omissions. Miercom is not liable for damages arising out of or related to the information contained within this report. Consult with professional services such as Miercom Consulting for specific customer needs analysis.
Copyright © 2014 Miercom